Results 1 - 10 of 1,517
Tor: The second-generation onion router
- in 13th USENIX Security Symposium. Usenix,
, 2004
Cited by 1229 (33 self)
Abstract: We present Tor, a circuit-based low-latency anonymous communication service. This second-generation Onion Routing system addresses limitations in the original design by adding perfect forward secrecy, congestion control, directory servers, integrity checking, configurable exit policies, and a practical design for location-hidden services via rendezvous points. Tor works on the real-world Internet, requires no special privileges or kernel modifications, requires little synchronization or coordination between nodes, and provides a reasonable tradeoff between anonymity, usability, and efficiency. We briefly describe our experiences with an international network of more than 30 nodes. We close with a list of open problems in anonymous communication.
Overview: Onion Routing is a distributed overlay network designed to anonymize TCP-based applications like web browsing, secure shell, and instant messaging. Clients choose a path through the network and build a circuit, in which each node (or "onion router" or "OR") in the path knows its predecessor and successor, but no other nodes in the circuit. Traffic flows down the circuit in fixed-size cells, which are unwrapped by a symmetric key at each node (like the layers of an onion) and relayed downstream. The Onion Routing project published several design and analysis papers
Perfect forward secrecy: In the original Onion Routing design, a single hostile node could record traffic and later compromise successive nodes in the circuit and force them to decrypt it. Rather than using a single multiply encrypted data structure (an onion) to lay each circuit, Tor now uses an incremental or telescoping path-building design, where the initiator negotiates session keys with each successive hop in the circuit. Once these keys are deleted, subsequently compromised nodes cannot decrypt old traffic. As a side benefit, onion replay detection is no longer necessary, and the process of building circuits is more reliable, since the initiator knows when a hop fails and can then try extending to a new node.
Separation of "protocol cleaning" from anonymity: Onion Routing originally required a separate "application proxy" for each supported application protocol, most of which were never written, so many applications were never supported. Tor uses the standard and near-ubiquitous SOCKS [32] proxy interface, allowing us to support most TCP-based programs without modification. Tor now relies on the filtering features of privacy-enhancing application-level proxies such as Privoxy
No mixing, padding, or traffic shaping (yet): Onion Routing originally called for batching and reordering cells as they arrived, assumed padding between ORs, and in later designs added padding between onion proxies (users) and ORs
Many TCP streams can share one circuit: Onion Routing originally built a separate circuit for each application-level request, but this required multiple public key operations for every request, and also presented a threat to anonymity from building so many circuits; see Section 9. Tor multi-
The EigenTrust Algorithm for Reputation Management in P2P Networks
- in Proceedings of the 12th International World Wide Web Conference (WWW 2003)
, 2003
Cited by 997 (23 self)
Peer-to-peer file-sharing networks are currently receiving much attention as a means of sharing and distributing information. However, as recent experience with P2P networks such as Gnutella shows, the anonymous, open nature of these networks offers an almost ideal environment for the spread of self-replicating inauthentic files.
Random Key Predistribution Schemes for Sensor Networks
- IEEE Symposium on Security and Privacy,
, 2003
Cited by 832 (12 self)
Abstract: Efficient key distribution is the basis for providing secure communication, a necessary requirement for many emerging sensor network applications. Many applications require authentic and secret communication among neighboring sensor nodes. However, establishing keys for secure communication among neighboring sensor nodes in a sensor network is a challenging problem, due to the scale of sensor nets, the limited computation and communication resources of sensors, their deployment in hostile environments yet their lack of tamper-resistant hardware. The limited computation resources of sensor nodes prevent using traditional key distribution mechanisms in sensor networks, such as Diffie-Hellman based approaches. Pre-distribution of secret keys among neighbors is generally not feasible, because we do not know which sensors will be neighbors after deployment. Pre-distribution of secret keys for all pairs of nodes is not viable due to the large number of sensors and the limited memory of sensor nodes. A new key distribution approach was proposed by Eschenauer and Gligor [11] to achieve secrecy for node-to-node communication: sensor nodes receive a random subset of keys from a key pool before deployment. In the field, neighboring nodes exchange information to find one common key within their random subset and use that key as their shared secret to secure subsequent communication. In this paper, we generalize the Eschenauer-Gligor key distribution approach. First, we propose two new mechanisms, the q-composite random key predistribution scheme and the multi-path key reinforcement scheme, which substantially increase the security of key setup such that an attacker has to compromise many more nodes to achieve a high probability to compromise communication. Second, we propose a new mechanism, random-pairwise keys scheme, to enable node-to-node authentication without involving a base station and perfect resilience against node capture. We also show how we enable distributed node revocation based on this scheme. To the best of our knowledge, no previous scheme supports efficient node-to-node authentication without involving a base station and distributed node revocation. We give detailed analysis and simulation results to each proposed scheme and show under which situations a scheme should be used to achieve the best security.
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
, 2003
Cited by 827 (3 self)
We consider routing security in wireless sensor networks. Many sensor network routing protocols have been proposed, but none of them have been designed with security as a goal. We propose security goals for routing in sensor networks, show how attacks against ad-hoc and peer-to-peer networks can be adapted into powerful attacks against sensor networks, introduce two classes of novel attacks against sensor networks (sinkholes and HELLO floods), and analyze the security of all the major sensor network routing protocols. We describe crippling attacks against all of them and suggest countermeasures and design considerations. This is the first such analysis of secure routing in sensor networks.
Tapestry: A Resilient Global-scale Overlay for Service Deployment
- IEEE Journal on Selected Areas in Communications
, 2004
Cited by 598 (14 self)
We present Tapestry, a peer-to-peer overlay routing infrastructure offering efficient, scalable, location-independent routing of messages directly to nearby copies of an object or service using only localized resources. Tapestry supports a generic Decentralized Object Location and Routing (DOLR) API using a self-repairing, soft-state based routing layer. This paper presents the Tapestry architecture, algorithms, and implementation. It explores the behavior of a Tapestry deployment on PlanetLab, a global testbed of approximately 100 machines. Experimental results show that Tapestry exhibits stable behavior and performance as an overlay, despite the instability of the underlying network layers. Several widely-distributed applications have been implemented on Tapestry, illustrating its utility as a deployment infrastructure.
Secure routing for structured peer-to-peer overlay networks
, 2002
Cited by 473 (12 self)
Structured peer-to-peer overlay networks provide a substrate for the construction of large-scale, decentralized applications, including distributed storage, group communication, and content distribution. These overlays are highly resilient; they can route messages correctly even when a large fraction of the nodes crash or the network partitions. But current overlays are not secure; even a small fraction of malicious nodes can prevent correct message delivery throughout the overlay. This problem is particularly serious in open peer-to-peer systems, where many diverse, autonomous parties without pre-existing trust relationships wish to pool their resources. This paper studies attacks aimed at preventing correct message delivery in structured peer-to-peer overlays and presents defenses to these attacks. We describe and evaluate techniques that allow nodes to join the overlay, to maintain routing state, and to forward messages securely in the presence of malicious nodes.
LEAP: Efficient Security Mechanisms for Large-scale Distributed Sensor Networks
, 2003
Cited by 469 (22 self)
Protocol), a key management protocol for sensor networks that is designed to support in-network processing, while at the same time restricting the security impact of a node compromise to the immediate network neighborhood of the compromised node. The design of the protocol is motivated by the observation that different types of messages exchanged between sensor nodes have different security requirements, and that a single keying mechanism is not suitable for meeting these different security requirements. LEAP supports the establishment of four types of keys for each sensor node – an individual key shared with the base station, a pairwise key shared with another sensor node, a cluster key shared with multiple neighboring nodes, and a group key that is shared by all the nodes in the network. The protocol used for establishing and updating these keys
The Sybil attack in sensor networks: Analysis & Defenses
- THIRD INTERNATIONAL SYMPOSIUM ON INFORMATION PROCESSING IN SENSOR NETWORKS, IPSN, 26 – 27 APRIL 2004 PAGE(S): 259 – 268
, 2004
Cited by 392 (1 self)
Security is important for many sensor network applications. A particularly harmful attack against sensor and ad hoc networks is known as the Sybil attack [6], where a node illegitimately claims multiple identities. This paper systematically analyzes the threat posed by the Sybil attack to wireless sensor networks. We demonstrate that the attack can be exceedingly detrimental to many important functions of the sensor network such as routing, resource allocation, misbehavior detection, etc. We establish a classification of different types of the Sybil attack, which enables us to better understand the threats posed by each type, and better design countermeasures against each type. We then propose several novel techniques to defend against the Sybil attack, and analyze their effectiveness quantitatively.
Introducing Tarzan, a Peer-to-Peer Anonymizing Network Layer
, 2002
Cited by 387 (1 self)
We introduce Tarzan, a peer-to-peer anonymous network layer that provides generic IP forwarding. Unlike prior anonymizing layers, Tarzan is flexible, transparent, decentralized, and highly scalable. Tarzan achieves these properties by building anonymous IP tunnels between an open-ended set of peers. Tarzan can provide anonymity to existing applications, such as web browsing and file sharing, without change to those applications. Performance tests show that Tarzan imposes minimal overhead over a corresponding non-anonymous overlay route.
Skipnet: A scalable overlay network with practical locality properties
, 2003
Cited by 359 (5 self)
Abstract: Scalable overlay networks such as Chord, Pastry, and Tapestry have recently emerged as a flexible infrastructure for building large peer-to-peer systems. In practice, two disadvantages of such systems are that it is difficult to control where data is stored and difficult to guarantee that routing paths remain within an administrative domain. SkipNet is a scalable overlay network that provides controlled data placement and routing locality guarantees by organizing data primarily by lexicographic key ordering. SkipNet also allows for both fine-grained and coarse-grained control over data placement, where content can be placed either on a pre-determined node or distributed uniformly across the nodes of a hierarchical naming subtree. An additional useful consequence of SkipNet’s locality properties is that partition failures, in which an entire organization disconnects from the rest of the system, result in two disjoint, but well-connected overlay networks.